Comité Europe de Protección de Datos

Norwegian DPA: Administrative fine for Rælingen municipality 

Tuesday, 18 August, 2020
NO

Final decision, administrative fine for Rælingen municipality 

The Norwegian Data Protection Authority has imposed an administrative fine of EUR 47,500 to Rælingen Municipality. The fine is imposed after data concerning health of children with special needs was processed using the digital learning platform Showbie. 
- The case started when we received a notification of a personal data breach from the municipality. Upon further investigation of the case, it appeared that the level of security of the application was not proportionate with the risk, says Director-General of the Norwegian Data Protection Authority, Bjørn Erik Thon. – This is obviously a significant issue, as it has to do with both children and personal data concerning health. 

Several infringements
The infringement affects 15 children with special needs. The application Showbie has been used to send health related personal data between the school and the homes of the children. 


The necessary risk and data protection impact assessments and testing have not been completed before the application was put to use. Lack of security measures when logging in to the application has made it possible to obtain information about other children in the group. 


After the breach notification, the municipality has pointed out that there is no indication that any of the children have actually been victim to material or non-material damage, but the Norwegian Data Protection Authority has not put emphasis on this in the consideration of the case. This is because we found that the infringement itself creates a risk, regardless of whether the risk actually manifests itself in a more concrete form of damage to the affected children or not. 
The Norwegian Data Protection Authority has chosen to reduce the fine after an overall assessment, made on the basis of an inquiry from Rælingen municipality. An assessment was also made in relation to previous practice under the old law. The case has not been appealed, and the fee of EUR 47,500 is final.

You can read the origional press release in Norwegian here.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.